Low-level computer workers are the NSA’s weakness

A TV screen shows a news report on Edward Snowden, a former CIA employee who leaked top-secret documents about sweeping U.S. surveillance programs, at a restaurant in Hong Kong Wednesday, June 12, 2013. The whereabouts of Snowden remained unknown Wednesday, two days after he checked out of a Hong Kong hotel. (AP Photo/Kin Cheung)

WASHINGTON — In the vast, secretive world of U.S. intelligence — a realm of clandestine agents, voracious supercomputers and eagle-eyed satellites — the IT guy was the weakest link.

That vulnerability has been exposed in the past week by revelations that Edward Snowden, a 29-year-old contract worker at the National Security Agency, disclosed a secret court order and other classified information to two newspapers.

While top-secret data are protected by high-level security clearances and hidden in a maze of “compartments,” it’s not unusual for low-level systems administrators such as Snowden to have access to multiple databases, said Dale Meyerrose, a former chief information officer for U.S. intelligence agencies.

“Systems administrators typically have unfettered access within the system they operate,” he said. “The worst fear of any counterintelligence officer is a complicit insider.”

Snowden’s disclosure of programs to collect Internet and telephone data has raised questions about the extent to which the technicians who run classified government and corporate networks can rummage through them and elude security measures.

Intelligence veterans said they were shocked when they heard that an NSA leaker had made public an order from the Foreign Intelligence Surveillance Court, a top-secret, codeword-protected document that few officials would be allowed to see and even fewer would be able to download and copy.

“I can’t remember having a FISA court order in my hand in six years at the National Security Agency,” said former NSA Director Michael Hayden, referring to the court that reviews surveillance measures under the more than three-decade-old Foreign Intelligence Surveillance Act.

While classified systems use measures including keystroke monitoring to prevent unauthorized access to information, a network administrator can write rules to get around such safeguards, Meyerrose said in an interview. He added that he doesn’t know whether that was what Snowden did.

Increasingly, systems managers are the people “who are the holders of the keys,” said Harvey Rishikof, a former senior adviser to the national counterintelligence executive.

There potentially are hundreds of thousands of systems administrators and analysts who can see classified information, Meyerrose said. Intelligence agencies and the contractors they rely on should re-examine who has access to what data, and whether better security controls are needed, he said.

“This is a human security problem,” Meyerrose said. “This is not a systems technology problem.”

Roscoe Howard Jr., a former U.S. Attorney, said he has no idea how Snowden, who worked at the NSA under government contractor Booz Allen Hamilton Holding Corp., wound up with a copy of the FISA court order on telephone data collection that was leaked to Britain’s Guardian newspaper.

Howard, who oversaw FISA requests sought by his office from 2001 to 2004, said only about six people would see an actual FISA order. If an order required a company to turn over data, only that company’s top officers would be notified and could see the order, though they wouldn’t get a copy, he said.

“The idea that this would be just sitting on a server somewhere borders on absurdity,” said Howard, who’s now a partner at Andrews Kurth in Washington. “He could have gone hunting for it, but it’s not something that’s put on an unsecured system.”

Howard said government contractors aren’t involved in seeking or carrying out FISA court orders.

“They may have clearances, but they’re not part of the NSA nor part of CIA,” he said. Federal officials are trained to make sure that sensitive material isn’t sitting in places where it can be easily accessed, he added.

Snowden’s actions are likely to spark a review of access rules and safeguards. The Obama administration has begun a damage assessment, standard practice after such events, to provide a basis for remedial actions, as well as potential prosecution.

Reconstructing how Snowden obtained the classified data would be part of that assessment, said Rishikof, now the director of cybersecurity and the law at Drexel University’s iSchool and Earle Mack School of Law in Philadelphia.

“One of the interesting questions is how he was able to exfiltrate this information off the system,” Rishikof said. “That is another part of the investigation.”

Sen. Saxby Chambliss of Georgia, the top Republican on the Senate Intelligence Committee, said in an interview that he’s bracing for Snowden to release more classified data.

“Apparently he’s got a thumb drive,” Chambliss said after a briefing Tuesday on Capitol Hill. “He’s already exposed part of it, and I guess he’s going to expose the rest.” Chambliss said he doesn’t know what’s on the thumb drive.

Jeremy Bash, chief of staff to former Central Intelligence Agency Director and Defense Secretary Leon Panetta, said investigators probably are examining two hypotheses.

One possibility is that someone gave Snowden the FISA court document because it spells out the surveillance that’s permitted under the order. Network engineers and systems administrators, who execute the technical part of such orders, might have been granted access to the primary document to avoid errors in interpretation, Bash said.

Even as a junior person, Snowden may have held a clearance for the compartment that oversaw a particular surveillance program, Bash said.

“You need junior people to do all sorts of things, to include basic research, basic analysis, and systems administration,” he said. Snowden “appears to have been in systems administration, and those are the people that might have access to nearly everything because everything is done by computers.”

A second hypothesis is that Snowden didn’t have the authorized access and instead hacked into the system to steal data known as Sensitive Compartmented Information, Bash said.

“Those computers may be walled off, there may be security measures in place, but that means that people who build those systems and run the firewalls are the people who have access to a lot,” he said.

Meyerrose said it’s plausible that Snowden acted alone given that he seemed to access broad documents outlining the classified programs, not the actual data in the programs.

Systems administrators can see information in the networks they’re authorized to access, which could include multiple compartmented databases and even communications from the White House, Meyerrose said.

“The most valuable person in your whole system is the guy who can make it work,” he said. “They’re the ones that write the access rules and set up the process by which the networks work.”

Snowden was a former technical assistant for the Central Intelligence Agency and had worked for the NSA in the past four years for contractors including Booz Allen, according to the Guardian and the Washington Post, which said Snowden gave them the documents. Booz Allen, his most recent employer, said Snowden has been fired.

In an online video interview, Snowden portrays himself as a whistle-blower seeking to expose what he regards as overly intrusive government surveillance. He released the FISA court order permitting the NSA to acquire information about telephone calls by Americans and a document explaining a program to mine data on foreigners’ use of the Internet.

While Chambliss said Snowden “overstated” his access to classified information, he and fellow Republican Sen. Lindsey Graham, R-S.C., called for a review of all top-secret, “need-to-know” classifications.

The NSA needs to review “everything from Top Secret clearances to the use of contractors to what different levels individuals have access to,” Chambliss said.

Graham suggested the creation of an internal-affairs division within the NSA, akin to the internal-affairs units within police departments.

Security improvements could include requiring two people to sign off on access to sensitive and classified data, as well as putting profiles in place that would set off alerts if somebody overreaches, said Meyerrose, who founded his own security consultancy called the MeyerRose Group based in Colorado Springs, Colo. He declined to discuss any details about the Snowden investigation or classified programs.